Elastic Security Detection Rules

Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation

Last updated 7 days ago on 2025-11-19
Created 7 days ago on 2025-11-19

About

Identifies successful exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2 file upload functionality. This high-fidelity rule detects a specific attack sequence where a malicious multipart/form-data POST request with WebKitFormBoundary is made to a Struts .action upload endpoint, immediately followed by the creation of a JSP web shell file by a Java process in Tomcat's webapps directories. This correlated activity indicates active exploitation resulting in remote code execution capability through unauthorized file upload and web shell deployment.
Tags
Domain: EndpointDomain: WebDomain: NetworkOS: LinuxUse Case: Threat DetectionTactic: Initial AccessTactic: PersistenceData Source: Elastic DefendData Source: Network TrafficLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)(opens in a new tab or window)

Exploit Public-Facing Application (T1190)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

Server Software Component (T1505)(opens in a new tab or window)

False Positive Examples
False positives are expected to be very rare due to the specific nature of this rule. Legitimate application deployments typically do not involve multipart form uploads to .action endpoints followed immediately by JSP file creation in webapps directories. However, custom deployment scripts or automated testing tools that simulate file uploads could potentially trigger this alert. Review the source IP, user agent, uploaded file content, timing, and deployment schedules to validate if the activity is authorized. Standard package manager operations are already excluded from detection.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.*logs-network_traffic.*
Related Integrations

endpoint(opens in a new tab or window)

network_traffic(opens in a new tab or window)

Query
sequence by agent.id with maxspan=10s
  [network where data_stream.dataset == "network_traffic.http" and
      http.request.method == "POST" and
      http.request.body.content like "*WebKitFormBoundary*" and
      url.path like~ "*upload*.action"]
  [file where event.dataset == "endpoint.events.file" and
      host.os.type == "linux" and
      event.action == "creation" and
      process.name == "java" and
      file.extension == "jsp" and
      file.path like "*/webapps/*" and
      not file.path like "*/WEB-INF/*" and
      not file.path like "*/META-INF/*" and
      not process.parent.name in ("apk", "apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init")]

Install detection rules in Elastic Security

Detect Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).